Inadequate digital defences could have bigger consequences for investors than stolen data. Mark Dunne looks at how it might derail efforts to decarbonise the planet.
When it comes to cybersecurity, no news is good news. Just ask the investors behind Colonial Pipeline, which transports around 2.5 million barrels of fuel across the US each day. The company hit the headlines in May when hackers took control of the system managing its pipeline, which led to rising prices and long queues at gas stations across the country.
To end the chaos, the company paid a $4.4m (£3.1m) ransom to the hackers. This is, unfortunately, not an isolated incident. Yahoo, Alibaba, Facebook, AT&T, Apple, Exxon Mobil, Toyota and Amazon have all been at the centre of similar hacking headlines.
But it is not just big caps that are targets. Indeed, in the UK alone there were 128 successful cyber attacks in May that we know about, with just over 100 in the month that followed. Investors, therefore, need to assess a potential investment’s cybersecurity policy along with the other ESG risks it considers.
And it appears that the impact of such a breach could be huge. Indeed, cybercrime costs companies around the world $6trn (£4.3trn) a year, HSBC says, and the bill could reach $10trn (£7.2trn) by 2025.
But hacking is not just about financial gain. Activists have employed such tactics to help further their cause, with hacks connected with trying to overthrow the president of Belarus being one example. CCTV footage released over the summer showing the brutality within an Iranian jail is another.
It is, therefore, prudent to expect that other activist groups, and perhaps even terrorists, could target a country’s infrastructure, by cutting off its access to power or its supply of drinking water.
Colonial Pipeline is an example of where the hackers were not after information. “Data breaches are only one part of cybercrime,” says Margaret Childe, head of ESG, Canada for Manulife Investment Management. “There is also increased intent to disrupt company operations, with ransomware attacks becoming more common.
“It is not just about protecting personal information,” she adds. As the world gets greener, such attacks could switch from oil to disrupting renewable forms of energy. Back in 2019, US wind and solar energy generator sPower’s communication systems crashed after its digital defences were breached.
This made the company the victim of what is believed to be the first successful cyberattack on a renewable energy generator in the US. Although no homes or businesses lost power during the attack, it is proof that such companies are on hackers’ radars.
But it is not just about renewable energy. Manufacturing, transport and agriculture are industries that are playing a huge role in the transition to a low carbon economy and could hit investors hard if their defences are breached.
“Security is a main business threat, so it is across all sectors, no matter what you are investing in – energy, financial, healthcare – they are all vulnerable, all sectors have potential vulnerabilities,” Childe says.
On the agenda
The risks have become particularly acute given the rise in connectivity and the internet-of-things. Then there are the lockdowns inspired by the Covid pandemic, which have accelerated the digitalisation of business. More people are now working outside of the office and the technology has had to catch up. So, rising technical adoption has increased the risk of systems being hacked by people looking to hold a corporate or government to ransom.
“The transition to the cloud, accelerated by the pandemic with increased remote working, does require robust online defences,” Childe says. “With increased cloud infrastructure and digitalisation, companies need to ensure they have quick response capabilities and agility.
“All sectors need an IT system, so this infrastructure could be crucial to corporate operations,” she adds. It appears that, with so many high-profile companies reporting attacks in recent years, the message of the seriousness of the issue is getting through to investors. “Cybercrime is high on the ESG agenda for investors because it is a risk that permeates all industries,” Childe says.
This could be why market watchers expect to see greater attention paid to the issue. Indeed, investment in cybersecurity is expected to grow by more than 7% annually over the next five years, HSBC says. This could be motivated by corporate losses blamed on cyberattacks being six times greater than they were 12 months ago.
Whatever the motivation, investment in this area is needed to win and maintain the support of investors. Confidence and trust are important for corporates, says Ian Burger, head of responsible investment at Newton Investment Management. “If you have vulnerable systems, you are jeopardizing potential future business,” he adds.
Yet throwing money at the problem may not be the answer. “Banks have robust security budgets, but more spending does not always mean more robust protection,” Childe says. “A cybersecurity strategy needs to be robust across many fronts, it is not simply a question of spend.”
Loose lips sink ships
So, the size of the digital security budget is not an efficient way of assessing the strength of a corporate’s digital security defences. Answering the question of what investors need to look for to decide if a risk is worth taking is not easy. “It can be difficult to get information from a company on its cybersecurity,” Childe says.
“It can be challenging for investors to ascertain the strength of cybersecurity within companies,” Childe adds. “They are concerned about attracting attention from hackers if they give out too much information.”
Maintaining investor confidence that a corporate’s systems and data are safe is a delicate balancing act, adds Burger. “There is a notion that corporates should not overemphasize the strength and virtues of their systems because it invites trouble,” he says.
“On the flip side, corporates need to give investors comfort that they are managing this area as effectively as they can. There is an element of putting your head above the parapet,” he adds.
One area to look at is how a company’s staff are being trained in this area. Employees are one of the biggest risks to the security of a corporate or project. In fact, the hackers in the Colonial Pipeline case were believed to have accessed the system by using an employee’s password. “A key part of a cybersecurity plan is employee training,” Childe says. “Companies are only as strong as their weakest link.”
“It is a fast-evolving space, in terms of the sophistication of the attacks and the sophistication of corporate defenses,” Burger says. This is why cybersecurity is one of Newton’s seven engagement themes, but there are other ESG issues on investors’ agendas.
“Around a decade ago, cybersecurity was higher up the investor agenda,” Burger says, “but other ESG matters, such as climate change, biodiversity, and diversity, have superseded it in terms of prominence.
“The counter to that is that cybersecurity is not just an ESG issue; it is a fundamental business consideration,” he adds. “That is perhaps the rationale behind why ESG-focused commentators are discussing it less in the public domain.” Cybersecurity is a megatrend along with issues such as automation and climate change.
“With the increased transition to the cloud, regulation and even impacts on elections, it’s clear that interest in cybersecurity is growing on all fronts,” Childe says. “There has been an increase in activity surrounding cybersecurity ETFs, which peaked following the US election in 2020.
“Data breaches were an issue throughout the election and that has pushed interest into this area, although flows are low compared to those tracking other sectors,” she adds.
Another way investors can gain exposure to what is expected to be a growing problem is to back the companies that are creating the solutions to protect corporates from criminal hackers, activists and terrorists.
There is a problem. Companies specialising in digital security are considered to be technology stocks and the potential of such stocks is reflected in their prices. “Valuations of the pure-play companies in this area are fairly stretched,” Burger says, “which takes them off many investors’ radar.”
Insurance is another way to gain exposure to this theme, but, like in the technology sector, there are issues. “It is an evolving space, which makes it challenging to understand what the potential impact could be,” Burger says.
The cyber insurance market is worth $5bn (£3.6bn), according to rating agency Standard & Poor’s, with some believing it could be worth $20bn (£14.5bn) over the next four years.
So, it is a growing market, with the cost of insuring against a successful cyberattack rising on average by between 20% and 30% a year, Standard & Poor’s says.
On the issue of cybersecurity, Newton’s Burger favours younger businesses, saying that backing newer businesses has benefits when it comes to cybersecurity. “Some of the younger businesses we see coming into the sustainable space are as prepared as their more mature peers at getting to a position of comfort, due to the nature of being a young business.”